[RESOLVED] Password security confusion

Hi. Having read many different things about security, I am now completely confused. The bane of learning…lmao.

(btw – kinda an sql question too…but think here is more appropriate ? )

As far as I understand:

1. You can put your MySQL host/username/password/user information in a PHP script as it is not possible for a user to see this information. [URL="http://www.webdeveloper.com/forum/showthread.php?t=226195"]http://www.webdeveloper.com/forum/showthread.php?t=226195[/URL]

2. It then stands to reason that information sought from the database via PHP is also safe from hackers.

3. If I am using PHP to check a user's password against one stored in the database, I should be using MD5/SERIALIZE()/TLS/SSL/SHA1/.htaccess/etc etc…….

Surely if I need one/all these, then my original database access info is also at risk and the hacker could get all the db info anyway??

Am sure I am missing something, but have read too much now to know what.

6 Comment(s)

@tirna, Mar 17, 2010 — From my point of view I encrypt the password value going into the password column of a user db table mainly for the purpose of preventing anyone even with legitimate sql access to the user table from seeing users' actual unencrypted passwords by running a simple query like:

[CODE]
select * from tbluser;
[/CODE]

Once I hand over an application to a client I have no way of controlling who they give admin access to the db and what any unscrupulous administrator might do with usable username/password pairs.

If a user forgets their password they could click a link on the login page. After answering some 'secret' questions correctly a php script could generate a new random password, encrypt it, write it to the user table and then send an email with the unencrypted password to the user's email address currently in the db. The user can then change their password once they log in with the new password.

This way, [B][U]no-one[/U][/B] except the user knows what the unencrypted password is.

@max2474 (author), Mar 17, 2010 — Here you are helping me again...lol...thank you.

So - if it will only ever be myself that has access to the db, it isn't so important, but if I hand access to a third party, then that's when it becomes important?

My question then would be, the third party would have access to all the rest of the db information anyhow and access to the information the password was protecting in the first place - thus making the password redundant?

As a by the by - if I use a 3rd party host for a server instead of my own computers - can't the host get access to your db's?

I believe you told me once that security is very important - perhaps I am taking it too far...lol.

@tirna, Mar 17, 2010 — [QUOTE]So - if it will only ever be myself that has access to the db, it isn't so important, but if I hand access to a third party, then that's when it becomes important?[/QUOTE]

Yes in general - but by default, unless told otherwise, I encrypt passwords.

[QUOTE]My question then would be, the third party would have access to all the rest of the db information anyhow and access to the information the password was protecting in the first place - thus making the password redundant?[/QUOTE]

Since the 3rd party has paid for it, and if they want to provide on-going maintenance themselves then when I hand it over, they have complete access to all the scripts etc etc and web site security then becomes their responsibility.

[QUOTE]As a by the by - if I use a 3rd party host for a server instead of my own computers - can't the host get access to your db's?[/QUOTE]

I'm pretty sure they will, but their credibility would be shot down in flames if they were found tampering illegitimately with their clients' db's.

But still another reason for encrypting passwords as I mentioned earlier so that even admins with legitimate access to the tables can't see unencrypted passwords.

[QUOTE]I believe you told me once that security is very important - perhaps I am taking it too far...lol.[/QUOTE]

Well to be honest, I'm starting to think that you might be - but in a nice way. All the issues you raised are totally valid.

@max2474 (author), Mar 17, 2010 — Great. Thanks for the info. A final question then, before I go to bed. I will have to wait to read the answer...lol.

Of all the security measures available - MD5, SERIALIZE(), TLS, SSL, SHA1 etc., which do you prefer?

Also, am still struggling to see the benefit of encrypting the password as anyone would have access to the rest of the info in the db anyhow!

For my site, have decided to opt for three db's with different user info in each. #1 has email + first name, #2 has D.O.B. and join date, #3 has password and last name. There is more, but that's the idea - to split the info up.

All coding has been working so far, and have even thought of a way to move the rows in the tables around, so that you can't put them together even with access to all three dbs. Hope this makes sense and hope you like the idea!

Thanks yet again.

@tirna, Mar 17, 2010 — no problem max2474.

To be honest, I'm not sure of the pros and cons of each but if you google them I'm sure there will be plenty of info.

For me personally, I am happy using sha1() as it meets my needs.

[QUOTE]Also, am still struggling to see the benefit of encrypting the password as anyone would have access to the rest of the info in the db anyhow![/QUOTE]

But no matter how big, small or sophisticated [B]any application[/B] is, there will always be someone or some people with access to all of it. The aim is to reduce risk as much as possible as it's probably nearly impossible to eliminate all risk.

It's 1:30pm Melbourne time and about 32 degC at the moment. I'll have to pop out shortly as well and will try to pop in this evening Melbourne time. cheers

@NogDog, Mar 17, 2010 — When you [i]hash[/i] the password with something like sha1() (or the older and slightly less secure md5()) as opposed to [i]encrypting[/i] it, the hashed value is much harder to reverse, as hashing is considered to be "one-way encryption". The only way to decrypt a hashed string is via brute force trial-and-error and/or via a dictionary look-up of hashed words. Therefore, if you hash the passwords, if someone gets access to your DB in any manner, it is more of a challenge to discover actual passwords. If the person with the data has also gotten hold of your code and can figure out what "salt" you've used with your hash, they could in theory then use a brute-force process to guess passwords in the DB, but even that becomes quite difficult if you enforce a strong password policy (you know: at least one each of upper-case letter, lower-case letter, number, special character, etc....)

As with most things with security, the objective is to put numerous layers of security that a potential cracker must get by. In and of itself, hashing passwords is not a complete security solution, but as one of several layers in your security "onion" it is quite useful.

PS: I would strongly recommend reading [i]Essential PHP Security[/i] by Chris Shiflett (it's a pretty short book).
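The points tirna and NogDog make above (an administrator running select * from tbluser; should not see usable passwords, and a hash needs a salt so that stored values cannot simply be looked up) can be shown in a few lines of PHP. The block below is an added example, not code posted in this thread; it assumes PHP 7.0 or later for password_hash(), password_verify() and random_bytes(), and the $users array, registerUser() and checkLogin() are constructed stand-ins for the tbluser table and the login script.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.0 or later for
// password_hash(), password_verify() and random_bytes(). The $users array is a
// stand-in for the tbluser table; the user names and passwords are constructed.
declare(strict_types=1);

// Computed once so that a login attempt for an unknown user costs about the
// same time as a wrong password for a known user.
define('DUMMY_HASH', password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT));

function registerUser(array &$users, string $username, string $password): void
{
    $users[$username] = [
        // Unsalted SHA-1, stored here only to show why it is the weaker choice.
        'legacy_sha1'   => sha1($password),
        // password_hash() picks a random salt per call and stores it, together
        // with the algorithm and cost, inside the returned string.
        'password_hash' => password_hash($password, PASSWORD_DEFAULT),
    ];
}

function checkLogin(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        password_verify($password, DUMMY_HASH);
        return false;
    }
    return password_verify($password, $users[$username]['password_hash']);
}

$users = [];
registerUser($users, 'alice', 'correct horse battery staple');
registerUser($users, 'bob',   'correct horse battery staple');

// This is what "select * from tbluser;" shows an administrator.
foreach ($users as $name => $row) {
    printf("%-6s sha1 = %s\n", $name, $row['legacy_sha1']);
    printf("%-6s hash = %s\n", $name, $row['password_hash']);
}

// Same password, same SHA-1: the two rows give each other away, and one
// precomputed table of common-password hashes covers every user at once.
var_dump($users['alice']['legacy_sha1'] === $users['bob']['legacy_sha1']);
// Same password, different password_hash() output, because of the per-user salt.
var_dump($users['alice']['password_hash'] === $users['bob']['password_hash']);

// Only the right password for an existing user passes.
var_dump(checkLogin($users, 'alice', 'correct horse battery staple'));
var_dump(checkLogin($users, 'alice', 'not the password'));
var_dump(checkLogin($users, 'mallory', 'anything'));
```

Running it with php on the command line prints the two rows as an administrator would see them, then true for the SHA-1 comparison, false for the password_hash() comparison, and true, false, false for the three login checks. The password column holds only hashes, so even someone with full table access (the hosting provider or a client's administrator in tirna's scenario) does not get usable username/password pairs, and the per-user salt means a leaked hash has to be attacked on its own rather than looked up.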